501 ch 8 risk managment tool

Proprietary & Confidential
@GoCyberSec | January, 2020
Chapter 8
Using Risk Management Tools
CompTIA Security +

Introduction
• Understanding risk management
• Comparing scanning and testing tools
• Using security tools

Understanding Risk Management
• Risk
– Likelihood that a threat will exploit a vulnerability
• Vulnerabilities
– Weaknesses
• Threats
– Potential danger
• Impact
– Magnitude of harm

Threat
• Event that compromises confidentiality, integrity, or availability
– Malicious human threats
– Accidental human threats
– Environmental threats

Threat Assessment
• Helps identify and organize threats
• Attempts to identify:
– Potential threats
– Likelihood of threat (priority)
– Potential impact
– Security controls

Vulnerability
• Flaw or weakness (in software, hardware, or process)
–Lack of updates
–Default configurations
–Lack of up-to-date malware protection
–No firewall
–Lack of organizational policies

Risk Assessments
• Practice of identifying, monitoring, and limiting risks to a
manageable level
• Cannot eliminate risks
• Amount of risk that remains after managing risk is residual risk

Risk Response Techniques
Method Comments
Avoid Not participate in risky activity.
Transfer
Outsource. Purchase insurance.
Sometimes referred to as sharing risk.
Mitigate Implement controls to reduce risks. Antimalware
reduced risk from malware
Accept
Use if cost of control greater than the benefit.
Remaining risk is residual risk.

Risk Assessments
• First steps
–Identify assets and asset value
• Quantitative
–Uses specific monetary amounts to identify cost and asset values
• Qualitative
–Uses judgment to categorize risks based on probability and
impact

Quantitative Risk Assessment
• SLE (single loss expectancy)
–Cost of any single loss
• ARO (annual rate of occurrence)
–How many times the loss will occur annually
• ALE (annual loss expectancy)
–SLE × ARO

Quantitative Risk Assessment
• Laptop cost $2,000
• Employees lose one a month
–What is SLE?
–What is ARO?
–What is ALE?
• Formulas
–ALE = SLE × ARO
–ARO = ALE / SLE
–SLE = ALE / ARO

Qualitative Risk Assessment
• Likelihood of occurrence
–Probability that an event will occur
–Probability that a threat will attempt to exploit a vulnerability
• Impact
–Magnitude of harm resulting from a risk
–Negative result of the event
–Loss of confidentiality, integrity, or availability of a system or
data

Qualitative Risk Assessment
• Web server selling products on the Internet
–Probability of being attacked
–Impact
• Library computer
–Probability of being attacked
–Impact

Risk Assessments
• Documenting the assessment
• Results valuable
–Help organization evaluate threats and vulnerabilities
–Should be protected
–Only accessible to management and security professionals

Risk Register
• A record of information on identified risks
• A repository of information on risks
• Often recorded in a table
• Category
• Specific risk
• Likelihood
• Impact
• Risk score
• Security controls
• Contingencies
• Risk score (with controls)
• Action assigned to
• Action deadline

Supply Chain Assessment
• Supply chain
–Materials
–All the processes required to create and distribute a product
• Assessment evaluates these elements
–Identifies risks such as single point of failure

Checking for Vulnerabilities
• Determines the security posture of a system
• Identifies vulnerabilities and weaknesses

• Password cracker
–Attempts to discover passwords
• MD5 Hash: 161ebd7d45089b3446ee4e0d86dbcf92
• Password: P@ssw0rd
• Offline password cracker
• Online password cracker

• Network scanner
–Nmap, Netcat, Nessus
–Ping scan
–Arp ping scan
–Syn stealth scan
–Service scan
–OS detection

Zenmap

• Wireless scanners
• Rogue system detection

• Banner grabbing

Vulnerability Scanning
• Identify vulnerabilities and misconfigurations
- Open ports
- Weak passwords
- Default accounts
- Sensitive data
- Security and configuration errors
• Passively test security controls
- Does not exploit vulnerabilities

• Identify lack of security controls
- Systems without patches
- Systems without antivirus software
• False positive
- Scan detected a vulnerability
- But the vulnerability doesn’t actually exist
• False negative
- Vulnerability exists
- But the scan did not detect it

• Credentialed scan vs. Non-credentialed scan
• Configuration compliance scans
• Obtaining authorization
- A penetration test can cause system instability
- Without consent you may be perceived as an attacker

Penetration Testing
• Assesses deployed security controls
• Determine the impact of a threat
• Starts with passive reconnaissance (such as a vulnerability scan)
• Follows with attempt to exploit vulnerabilities

Penetration Testing
• Passive reconnaissance
–Collects information
–Often uses open-source intelligence
• Active reconnaissance
–Uses tools to gather information
–Typically includes vulnerability and network scans
• Initial exploitation
–Exploits vulnerabilities

Penetration Testing
• Escalation of privilege
–Attempts to gain additional privileges
• Pivot
–Use exploited system to exploit other systems
• Persistence
–Take steps to retain presence on network

Penetration Testing
• Black box testing
–Testers have zero knowledge of the environment prior to the
test
–Often use fuzzing
• White box testing
–Testers have full knowledge of the environment
• Gray box testing
–Testers have some knowledge of the environment

Comparisons
• Vulnerability scanning
–Nonintrusive and passive
–Little impact on a system during a test
–Probes systems to identify vulnerabilities
–Does not take action to exploit vulnerabilities
• Penetration testing
–Intrusive and active
–Can potentially compromise a system

Exploitation Frameworks
• Metasploit Framework
• BeEF (Browser Exploitation Framework)
• w3af (Web Application Attack and Audit Framework)

Using Security Tools
• Protocol analyzer (sniffer)
–Capture, display, and analyze packets sent over a network
–Can examine IP headers
• View protocols, flags, source and destination info
–Useful when troubleshooting communication problems
–Useful to detect manipulated or fragmented packets
–Can view unencrypted network traffic including passwords sent
in clear text

WireShark

Monitoring Logs
• Operating system logs
–Continuously record information that can be useful in
troubleshooting and gaining information
–Application Log
–System log
–Security log
• Firewall and router access logs

Monitoring Logs
• Linux logs
• Antivirus logs
• Application logs
• Performance logs
• Review logs regularly
• Store logs in central location
–Provides protection against attacks

SIEM
• Security Information and Event Management
–Aggregation
–Correlation engine
–Automated alerting
–Automated triggers
–Time synchronization
–Event deduplication
–Logs/WORM
• Continuous Monitoring

Auditing and Reviews
• Usage auditing and reviews
–Logs and identifies user actions
–Useful during investigations
• Permission auditing and review
–Ensures that users have only the access they need and no
more
–Ensures that inactive accounts are either disabled or deleted

Chapter 8 Summary
• Understanding risk management
• Comparing scanning and testing tools
• Using security tools

501 ch 8 risk managment tool

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 501 ch 8 risk managment tool

Similar to 501 ch 8 risk managment tool (20)

More from gocybersec

More from gocybersec (10)

Recently uploaded

Recently uploaded (20)

501 ch 8 risk managment tool

Editor's Notes